Tuesday, June 25, 2019 10:00 AM
Imagine getting home from work and finding your house broken into.
Criminals have kicked in your laundry door and ransacked your house. The contents of your fridge have been dumped onto the floor, and every drawer has been pulled out and the contents thrown around the room. Your wife's mother's irreplaceable jewellery, electronics, and your children's game consoles have all been stolen. When your wife and kids get home, they are distraught.
Uniform police attend and wander through the house, looking at the damage. Finally, one of the officers approaches you, shaking his head.
"Honestly," he says, "what were you thinking?"
You are still in shock, and look at the officer, confused.
"Who would buy a house that backs onto a public footpath? Especially when the pathway links to a park? Seriously, what were you thinking? I'm going back to the station to tell everyone how big an idiot you are..."
This is an example of 'victim blaming'.
The term victim blaming was first coined by the psychologist William Ryan in 1971, when he wrote the book of the same title. A US Legal Definitions website describes victim blaming as "...a devaluing act where the victim of a crime...is held wholly or partly responsible for the wrongful act committed against them".
In 2017, FBI Deputy Director Don Freese discussed the growing "lack of communication and trust between security professionals and the rest of the enterprise". Freese discussed the "unhealthy sense of superiority in the cybersecurity field, which led to victim blaming".
It is not just organisations like the FBI that suffer from this problem.
When I talk to businesses about cyber crime and reveal that 35% of the notifiable data breaches reported to the Information Commissioner in 2019 were the result of human error, members of the IT department will, without fail, snort and say "it's 100%", and in the same breath wonder why no one listens to them.
However, when the OAIC states that 35% of notifiable data breaches are human error, it is referring to unauthorised disclosure: verbal disclosure, emails sent to the wrong recipient, unintended publication, or the physical loss of paperwork or devices. This statistic is NOT referring to 'Malicious or Criminal attacks'.
You see, when your staff member falls victim to a phishing attack, gift card scam, etc., then they have fallen victim to a criminal attack. When you then berate or shame them, you are saying they are "wholly or partly responsible for the wrongful act committed against them".
If you are the IT guy or girl in your organisation, or if you have 'cybersecurity' on your business card, then you need to remember that what is obvious to you is NOT obvious to everyone else, and you then have to decide if you are the educator or the enforcer within your organisation.
I have personally seen large organisations that appear to take great delight in catching their own staff out in phishing tests, and loudly proclaiming "it's name and shame time".
I have also recently conducted awareness training at a large private Australian business, where both the CIO and CFO understood the need to educate their staff. Both took time out of their extremely busy schedules, and actively participated in the awareness presentations. The system architect even spent considerable time planning and scheduling the presentations across three of their business sites, in two states.
When a member of their business recently fell for a relatively simple scam, the business acted professionally to address the issue, and the same system architect took time out of his day to call the victim and ask, "Are you okay?"
Of the two examples above, which would you prefer to work for?
Which office is developing a healthy information security mindset?
There is no doubt that, for people who live and breathe information security, it can appear that the whole world is on the path to information security Armageddon.
Changing the mindset and habits of the whole world is far from easy.
In my personal life, for all of my own ramblings, my family and friends still seem hell-bent on reusing their favourite passwords and sharing every piece of their personal information with the whole world, and I am often forced to close my eyes and take a deep breath.
But, I chose this career to be an educator, so I will continue to educate.
One day perhaps they may hear of a scam, or read about a security breach somewhere, and something may click. Until then, I will keep doing what I can to help.
Stop blaming the victims of cyber crimes. Start helping them to understand, and make sure they are OK.
About the Author
Michael Leboydre has served with the Queensland Police Service, culminating in his time as a Detective with the QPS Cyber Squad. During more than two years with the Cyber Squad, Michael conducted investigations and liaised with other state, national and international Agencies on many cases involving fraud, identity theft and other cyber crimes, including many originating in Queensland and heading interstate or overseas, and coming back the other way.
As a result of witnessing first hand the impact these crimes have on unsuspecting members of the general public, through investigations and victim statements, Michael has since devoted his time to educate all who will listen on how they can reduce their risk and exposure to these serious crimes and their devastating consequences.
Like to know more about how WyldLynx can help your organisation? Contact us today!